tcpdump mailing list archives
Fw: print ip id
From: George Bakos <gbakos () ists dartmouth edu>
Date: Sat, 19 Apr 2003 15:27:40 -0400
This seems to have died in transit.

Begin forwarded message:

Date: Wed, 16 Apr 2003 18:02:06 -0400
From: George Bakos <gbakos () ists dartmouth edu>
To: tcpdump-workers () tcpdump org
Subject: print ip id

I'm curious as to why we test for nonzero frag offset before printing the ip id, even though vflag is set. Many intrusion analysts (self-serving rant here) correlate based on ip id, and it is often an indicator of poorly crafted packets. Its absence is a pain.

To avoid printing it unless REALLY desired, how about an additional test for vflag > 1:

    if ((off & 0x3fff) != 0 || vflag > 1)
        (void)printf(", id %u", EXTRACT_16BITS(&ip->ip_id));

--
George Bakos
Institute for Security Technology Studies - IRIA
Dartmouth College
gbakos () ists dartmouth edu
603.646.0665 -voice
603.646.0666 -fax

-
This is the TCPDUMP workers list.
It is archived at http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
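The two rules side by side, as an added example that is not code from this thread or from tcpdump itself: a stand-in for EXTRACT_16BITS, the existing fragment-only test, the proposed test, and both applied to two constructed IPv4 headers (a DF-only packet and a middle fragment). It assumes tcpdump's -v/-vv convention of vflag = 1 and vflag = 2.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Big-endian 16-bit read, what tcpdump's EXTRACT_16BITS does. */
static uint16_t extract_16bits(const uint8_t *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Existing rule: print the id only for fragments, i.e. when the
 * more-fragments bit or the 13-bit offset is set (off & 0x3fff). */
int prints_id_old(uint16_t off, int vflag) {
    (void)vflag;                       /* vflag plays no role here */
    return (off & 0x3fff) != 0;
}

/* Proposed rule from the message: also print the id under -vv. */
int prints_id_proposed(uint16_t off, int vflag) {
    return (off & 0x3fff) != 0 || vflag > 1;
}

/* Render the "ttl N[, id M]" part of a line for a raw IPv4 header.
 * Returns 1 if the id was printed, 0 if not, -1 on a bad header. */
int ip_id_line(const uint8_t *hdr, size_t len, int vflag, int proposed,
               char *out, size_t outlen) {
    if (len < 20 || (hdr[0] >> 4) != 4 || outlen < 32) return -1;
    uint16_t id  = extract_16bits(hdr + 4);   /* identification */
    uint16_t off = extract_16bits(hdr + 6);   /* flags + fragment offset */
    int n = snprintf(out, outlen, "ttl %u", hdr[8]);
    int show = proposed ? prints_id_proposed(off, vflag)
                        : prints_id_old(off, vflag);
    if (show) snprintf(out + n, outlen - (size_t)n, ", id %u", id);
    return show;
}

/* Constructed headers (not captured traffic): id 0x1234 with DF set and
 * offset 0; id 1 with MF set and offset 3 (a middle fragment). */
const uint8_t PKT_DF[20]   = {0x45,0,0,0x3c, 0x12,0x34, 0x40,0x00, 64,6,0,0,
                              192,0,2,1, 192,0,2,2};
const uint8_t PKT_FRAG[20] = {0x45,0,0,0x3c, 0x00,0x01, 0x20,0x03, 64,6,0,0,
                              192,0,2,1, 192,0,2,2};

int main(void) {
    char buf[64];
    ip_id_line(PKT_DF, 20, 1, 0, buf, sizeof buf); printf("old  -v : %s\n", buf);
    ip_id_line(PKT_DF, 20, 2, 0, buf, sizeof buf); printf("old  -vv: %s\n", buf);
    ip_id_line(PKT_DF, 20, 2, 1, buf, sizeof buf); printf("new  -vv: %s\n", buf);
    ip_id_line(PKT_FRAG, 20, 0, 0, buf, sizeof buf); printf("frag    : %s\n", buf);
    return 0;
}
```

With the existing rule the non-fragment never shows its id however many -v flags are given; with the proposed rule -vv shows it, while plain -v output is unchanged.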
Current thread:
- Fw: print ip id George Bakos (Apr 19)
- Re: Fw: print ip id Guy Harris (Apr 19)
- Re: Fw: print ip id George Bakos (Apr 20)
- Re: Fw: print ip id Hannes Gredler (Apr 22)
- Re: Fw: print ip id George Bakos (Apr 23)
- <Possible follow-ups>
- print ip id George Bakos (Apr 23)
- Re: Fw: print ip id Guy Harris (Apr 19)